Connect agent to private VPC resources
If the application you want to run a penetration test on is not available on the public internet, you need to provide AWS Security Agent with a VPC configuration. AWS Security Agent will use this VPC configuration, including a VPC, subnet, and security groups, to access the application.
You grant AWS Security Agent general access to a VPC from the AWS Management Console. In the Security Agent web app, users select the specific configuration for a penetration test.
To add a VPC in the Agent Space
- Navigate to the Agent Space overview page
- Select Actions and then Edit penetration test configuration
- Under the VPC heading, specify the VPC, Subnets, and Security groups
You can add up to 5 VPCs.
To select a specific VPC configuration for a penetration test in the Security Agent web app
- Navigate to the Penetration Tests overview page
- Select the penetration test that you need to add a VPC configuration for, and then choose Modify pentest details
- Select Next at the bottom of the page to reach the VPC Resources section
- Select the VPC, Subnet, and Security groups
- Select Next to reach the last section and Save the penetration test
Running a penetration test against VPC resources in another AWS account
You can run penetration tests against VPC resources shared with your account using AWS Resource Access Manager. Both accounts must be part of the same AWS Organization.
- (Optional) Enable automatic resource sharing for your AWS organization:
    aws ram enable-sharing-with-aws-organization
- Using credentials from the AWS account that owns the VPC resources, share the subnet and security group resources with the penetration test owner account:
    aws ram create-resource-share \
        --name SharePentestResources \
        --resource-arns <subnet ARN> <security group ARN> \
        --principals <penetration test owner account ID>
- Navigate to the Agent Space overview page
- Select Penetration test and locate Service role name
- Verify that the IAM role grants access to the shared VPC resources
- Select Actions and then Edit penetration test configuration
- Under the VPC heading, specify the shared VPC, Subnets, and Security groups, and save the updated configuration
- Navigate to the Penetration Tests overview page in the AWS Security Agent web app
- Select the penetration test that you need to add a VPC configuration for, and then choose Modify pentest details
- Update the penetration test to use the shared VPC resources
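A check the owning account can run after the sharing step above, to confirm the resource share reaches only the penetration test owner account and carries only subnets and security groups. This is an added example, not part of the AWS Security Agent documentation; it consumes the JSON that `aws ram get-resource-shares`, `get-resource-share-associations` and `list-resources` return, and the account IDs and ARNs in the sample records are constructed placeholders.

```python
"""Audit an AWS RAM resource share that exposes VPC resources to a pentest account.

Added example, not from the AWS Security Agent documentation. Field names follow
the RAM API responses; the sample records at the bottom are constructed.
"""

ALLOWED_TYPES = {"ec2:Subnet", "ec2:SecurityGroup"}


def audit_share(share, associations, resources, pentest_account):
    """Return human-readable findings; an empty list means the share matches intent."""
    findings = []
    if share.get("allowExternalPrincipals"):
        findings.append("share allows principals outside the organization")
    if share.get("status") != "ACTIVE":
        findings.append(f"share status is {share.get('status')}")
    principals = {a["associatedEntity"] for a in associations
                  if a["associationType"] == "PRINCIPAL" and a["status"] == "ASSOCIATED"}
    # Anything other than the single pentest account ID (an OU, organization or
    # role ARN, or another account) widens who can reach the shared subnet.
    for p in sorted(principals - {pentest_account}):
        findings.append(f"unexpected principal {p}")
    if pentest_account not in principals:
        findings.append(f"pentest account {pentest_account} is not associated")
    for r in resources:
        if r["type"] not in ALLOWED_TYPES:
            findings.append(f"{r['arn']} has type {r['type']}, expected subnet or security group")
        if r.get("status") != "AVAILABLE":
            findings.append(f"{r['arn']} status is {r.get('status')}")
    return findings


# Constructed sample records (account IDs and ARNs are placeholders).
PENTEST_ACCOUNT = "111122223333"
SHARE_OK = {"name": "SharePentestResources", "status": "ACTIVE", "allowExternalPrincipals": False}
ASSOC_OK = [{"associationType": "PRINCIPAL", "associatedEntity": PENTEST_ACCOUNT, "status": "ASSOCIATED"}]
RESOURCES_OK = [
    {"arn": "arn:aws:ec2:us-east-1:444455556666:subnet/subnet-0example", "type": "ec2:Subnet", "status": "AVAILABLE"},
    {"arn": "arn:aws:ec2:us-east-1:444455556666:security-group/sg-0example", "type": "ec2:SecurityGroup", "status": "AVAILABLE"},
]
SHARE_BAD = {**SHARE_OK, "allowExternalPrincipals": True}
ASSOC_BAD = ASSOC_OK + [{"associationType": "PRINCIPAL", "associatedEntity": "999988887777", "status": "ASSOCIATED"}]
RESOURCES_BAD = RESOURCES_OK + [{"arn": "arn:aws:ec2:us-east-1:444455556666:transit-gateway/tgw-0example", "type": "ec2:TransitGateway", "status": "AVAILABLE"}]

if __name__ == "__main__":
    for label, args in (("ok", (SHARE_OK, ASSOC_OK, RESOURCES_OK)), ("bad", (SHARE_BAD, ASSOC_BAD, RESOURCES_BAD))):
        print(label, audit_share(*args, PENTEST_ACCOUNT) or ["no findings"])
```

To run it against a live account, feed the `resourceShares`, `resourceShareAssociations` and `resources` arrays from the three CLI calls in place of the constructed records.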